problem setting up ssh-krb5 from Debian Sarge

Christopher D. Clausen cclausen at
Tue Nov 2 01:21:02 EST 2004

Wes Chow wrote:
>> Well, check your /etc/hosts file.  I believe that Debian puts the
>> hostname on the line.  This is not good.
> Yeah I saw other postings about that, so I fixed it...
>> You have libpam-openafs-session installed.  Are you using it as a
>> session module also?
>> session    required
> I tried putting that line in /etc/pam.d/common-session and now I'm
> getting this in auth.log:
> Oct 30 01:09:18 jack sshd[529]: Authorized to wchow, krb5 principal
> wchow at D2702.
> ATHENACR.COM (krb5_kuserok)
> Oct 30 01:09:18 jack sshd[529]: pam_openafs-krb5: open_session: Could
> not find K
> erberos tickets; not running aklog
> Oct 30 01:09:18 jack sshd[529]: (pam_unix) session opened for user
> wchow by (uid
> =0)
> Oct 30 01:09:18 jack sshd[529]: Accepted gssapi for wchow from
> port
> 33003 ssh2

I assume that you have "UsePrivilegeSeparation no" in your sshd_config 
file? as having this set to yes seems to cause the behaviour that you 
describe with not getting AFS tokens at login.

Christopher D. Clausen
ACM at UIUC SysAdmin 

More information about the Kerberos mailing list